Closed
Labels: bug (Something isn't working)
Description
When I checked the TLS handshake with Wireshark, I noticed radsecproxy sent out the wrong distinguished name.
In theory, the distinguished name in the certificate request should be the CA's DN, but instead it sent out the server certificate's DN.
For instance, my CA is:
openssl x509 -in ca.omnine.com.cer -noout -subject
subject=C = GB, ST = London, L = London, O = omnine, OU = RD, CN = ca.omnine.com
My server certificate, which is signed by the above CA, is:
openssl x509 -in radsecproxy2.bletchley19.com.cer -noout -subject
subject=C = GB, ST = London, L = London, O = Deepnet, OU = RD, CN = radsecproxy2.bletchley19.com
In Wireshark, I saw radsecproxy2.bletchley19.com, and I double-checked CACertificateFile in the conf; it was correct.
Then I checked the source code and found what I believe is a bug, as it made my Java client send out an empty client certificate.
Once I made the following change, it works:
diff --git a/tlscommon.c b/tlscommon.c
index 5f5f7dc..b6be409 100644
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -522,7 +522,7 @@ static int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
calist = sk_X509_NAME_new_null();
if (conf->cacertfile) {
debug(DBG_DBG, "tlsaddcacrl: loading subject names from file %s", conf->cacertfile);
- if (!SSL_add_file_cert_subjects_to_stack(calist, conf->certfile)) {
+ if (!SSL_add_file_cert_subjects_to_stack(calist, conf->cacertfile)) {
while ((error = ERR_get_error()))
debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
debug(DBG_ERR, "tlsaddcacrl: failed to load CA subject names from file %s", conf->cacertfile);
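Review bot: the `+` line is the right fix; both the debug message two lines above ("loading subject names from file %s", conf->cacertfile) and the error message at the end of the hunk already name conf->cacertfile, so passing conf->certfile to SSL_add_file_cert_subjects_to_stack was the one reference to the server certificate file and explains why the CertificateRequest advertised the server's own DN instead of the CA's. One follow-up on the unchanged error loop: ERR_error_string(error, NULL) writes into a static buffer shared across threads; ERR_error_string_n(error, buf, sizeof buf) with a local buffer is the safer call in a daemon that may log from several threads.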